U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Audit of Information Systems General and Application Controls at AultCare Health Plan

Report Number 1C-3A-00-15-012
January 21, 2016

-- CAUTION --

This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage (http://www.opm.gov/our-inspector-general), caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

EXECUTIVE SUMMARY

Audit of the Information Systems General and Application Controls at AultCare Health Plan
Report No. 1C-3A-00-15-012
January 21, 2016

Why Did We Conduct the Audit?

The objectives of this audit were to evaluate controls over the confidentiality, integrity, and availability of Federal Employee Health Benefit Plan (FEHBP) data processed and maintained in the AultCare Health Plan (AultCare) information technology (IT) environment.

What Did We Audit?

The scope of this audit centered on the information systems used by AultCare to process medical insurance claims for FEHBP members, with a primary focus on the claims adjudication applications.

What Did We Find?

Our audit of the IT security controls of AultCare determined that:

- AultCare has established an adequate security management program.
- AultCare has implemented controls to prevent unauthorized physical access to its facilities, as well as logical controls to protect sensitive information. However, there is no technical control to detect or prevent at AultCare’s data center and other sensitive areas at its facility.
- AultCare has implemented an incident response and network security program. However, we noted several areas of concern related to AultCare’s network security controls:
  o AultCare has not determined what auditable events should be logged and reviewed as a part of its incident response program.
  o A firewall baseline configuration standard is not in place.
  o
  o
  o AultCare’s vulnerability management program could be improved.
  o A methodology is not in place to ensure that unsupported or out-of-date software is not utilized.
- AultCare has developed a configuration management process for its operating platforms. However, formal baseline configuration standards are not in place for all servers and database platforms used by AultCare, and routine compliance auditing is not conducted.
- AultCare has implemented many controls in its claims adjudication process to ensure that FEHBP claims are processed accurately.

_______________________
Michael R. Esser
Assistant Inspector General for Audits

ABBREVIATIONS

the Act: The Federal Employees Health Benefits Act
AultCare: AultCare Health Plan
CFR: Code of Federal Regulations
FEHBP: Federal Employees Health Benefits Plan
FISCAM: Federal Information System Controls Audit Manual
GAO: U.S. Government Accountability Office
IT: Information Technology
NIST: National Institute of Standards and Technology
OIG: Office of the Inspector General
OMB: Office of Management and Budget
OPM: U.S. Office of Personnel Management
SP: Special Publication

TABLE OF CONTENTS

EXECUTIVE SUMMARY ........................................ i
ABBREVIATIONS ............................................ ii
I. BACKGROUND ............................................ 1
II. OBJECTIVES, SCOPE, AND METHODOLOGY ................... 2
III. AUDIT FINDINGS AND RECOMMENDATIONS .................. 4
  A. Security Management .................................. 4
  B. Access Controls ...................................... 5
  C. Network Security ..................................... 7
  D. Configuration Management ............................. 12
  E. Contingency Planning ................................. 13
  F. Claims Adjudication .................................. 15
IV. MAJOR CONTRIBUTORS TO THIS REPORT .................... 18
V. APPENDIX: AultCare Health Plan’s November 16, 2015 response to the draft audit report, issued September 16, 2015
REPORT FRAUD, WASTE, AND MISMANAGEMENT

I. BACKGROUND

This final report details the findings, conclusions, and recommendations resulting from the audit of general and application controls over the information systems responsible for processing Federal Employees Health Benefits Program (FEHBP) claims by AultCare Health Plan (AultCare). The audit was conducted pursuant to FEHBP contract CS 2723; 5 U.S.C. Chapter 89; and 5 Code of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S. Office of Personnel Management’s (OPM) Office of the Inspector General (OIG), as established by the Inspector General Act of 1978, as amended.
The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on September 28, 1959. The FEHBP was created to provide health insurance benefits for federal employees, annuitants, and qualified dependents. The provisions of the Act are implemented by OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance coverage is made available through contracts with various carriers that provide service benefits, indemnity benefits, or comprehensive medical services.

All AultCare personnel that worked with the auditors were helpful and open to ideas and suggestions. They viewed the audit as an opportunity to examine practices and to make changes or improvements as necessary. Their positive attitude and helpfulness throughout the audit were greatly appreciated.

This was our first audit of AultCare’s information technology (IT) general and application controls. We discussed the results of our audit with OPM and AultCare representatives at an exit conference.

II. OBJECTIVES, SCOPE, AND METHODOLOGY

Objectives

The objectives of this audit were to evaluate controls over the confidentiality, integrity, and availability of FEHBP data processed and maintained in AultCare’s IT environment. We accomplished these objectives by reviewing the following areas:

- Security management;
- Access controls;
- Network security;
- Configuration management;
- Contingency planning; and
- Application controls specific to AultCare’s claims processing systems.

Scope and Methodology

This performance audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States. Accordingly, we obtained an understanding of AultCare’s internal controls through interviews and observations, as well as inspection of various documents, including IT and other related organizational policies and procedures.
This understanding of AultCare’s internal controls was used in planning the audit by determining the extent of compliance testing and other auditing procedures necessary to verify that the internal controls were properly designed, placed in operation, and effective.

The scope of this audit centered on the information systems used by AultCare to process medical insurance claims for FEHBP members, with a primary focus on the claims adjudication process. The business processes reviewed are primarily located in AultCare’s Canton, Ohio facility. The on-site portion of this audit was performed in February and March of 2015. We completed additional audit work before and after the on-site visit at our office in Washington, D.C. The findings, recommendations, and conclusions outlined in this report are based on the status of information system general and application controls in place at AultCare as of April 2015.

In conducting our audit, we relied to varying degrees on computer-generated data provided by AultCare. Due to time constraints, we did not verify the reliability of the data used to complete some of our audit steps, but we determined that it was adequate to achieve our audit objectives. However, when our objective was to assess computer-generated data, we completed audit steps necessary to obtain evidence that the data was valid and reliable.

In conducting this review we:

- Gathered documentation and conducted interviews;
- Reviewed AultCare’s business structure and environment;
- Performed a risk assessment of AultCare’s information systems environment and applications, and prepared an audit program based on the assessment and the Government Accountability Office’s (GAO) Federal Information System Controls Audit Manual (FISCAM); and
- Conducted various compliance tests to determine the extent to which established controls and procedures are functioning as intended.
As appropriate, we used judgmental sampling in completing our compliance testing.

Various laws, regulations, and industry standards were used as a guide to evaluating AultCare’s control structure. These criteria include, but are not limited to, the following publications:

- Title 48 of the Code of Federal Regulations;
- Office of Management and Budget (OMB) Circular A-130, Appendix III;
- OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information;
- Information Technology Governance Institute’s COBIT: Control Objectives for Information and Related Technology;
- GAO’s FISCAM;
- National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-12, Introduction to Computer Security;
- NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems;
- NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments;
- NIST SP 800-34 Revision 1, Contingency Planning Guide for Information Technology Systems;
- NIST SP 800-41 Revision 1, Guidelines on Firewalls and Firewall Policy;
- NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations; and
- NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide.

Compliance with Laws and Regulations

In conducting the audit, we performed tests to determine whether AultCare’s practices were consistent with applicable standards. While generally compliant, with respect to the items tested, AultCare was not in complete compliance with all standards as described in the “Audit Findings and Recommendations” section of this report.

III. AUDIT FINDINGS AND RECOMMENDATIONS

A. Security Management

The security management component of this audit involved an examination of the policies and procedures that are the foundation of AultCare’s overall IT security controls.
We evaluated AultCare’s ability to develop security policies, manage risk, assign security-related responsibility, and monitor the effectiveness of various system-related controls.

AultCare has implemented a series of formal policies and procedures that comprise its security management program. AultCare has also developed a thorough risk management methodology that allows AultCare to document, track, and mitigate or accept identified risks in a timely manner. AultCare also has adequate human resources policies and procedures related to hiring, training, transferring, and terminating employees.

AultCare has developed a thorough risk management methodology.

Although it does have many security management controls in place, AultCare does not have a formal training requirement for individuals with specialized IT security responsibility.

NIST SP 800-53, Revision 4, requires organizations to provide role-based security training to personnel with assigned security roles and responsibilities. Requiring employees with specialized IT security responsibility to take routine training specifically tailored for their assigned duties increases their ability to address the constant changes in IT security best practices.

Recommendation 1

We recommend that AultCare implement requirements for routine training for employees with specialized IT security responsibility.

AultCare Response: “COMPLETE - AultCare agrees and has updated all applicable job descriptions with mandatory annual training hours.”

OIG Reply: In its response to our draft audit report AultCare provided sufficient evidence to address this recommendation; no further action is required.

B. Access Controls

Access controls are the policies, procedures, and controls used to prevent or detect unauthorized physical or logical access to sensitive resources. We examined the physical access controls at AultCare’s facilities and data centers located in and , Ohio.
We also examined the logical controls protecting sensitive data in AultCare’s network environment and applications. The access controls observed during this audit include, but are not limited to:

- Procedures for appropriately granting physical access to facilities and data centers;
- Procedures for appropriately granting, adjusting, and removing information system access;
- Strong environment controls within the data centers; and
- Controls to monitor and filter e-mail and Internet activity.

The following sections document opportunities for improvement related to AultCare’s physical access controls.

1) Access to the Primary Data Center, Sensitive Areas, and Data Center Co-Location

AultCare’s office space is located within the Aultman Hospital facility, and electronic access cards are used to access the AultCare floors. AultCare’s primary data center, staging room, and telecommunication room are located onsite within this office space, and are protected by an additional card reader. However, we expect the data center and other sensitive spaces of all FEHBP contractors to have the following additional controls:

- A technical or physical control to detect or prevent ; and
- .

AultCare’s data center co-location (backup data center) does require , but it does not have or .

Failure to implement adequate physical access controls increases the risk that unauthorized individuals can gain access to confidential data. NIST SP 800-53, Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” provides guidance for adequately controlling physical access to information systems containing sensitive data.

Recommendation 2

We recommend that AultCare conduct a review of its physical access controls and implement some form of , , and (co-location only) for the data centers and other sensitive areas at its facilities.

AultCare Response: “IN PROCESS - AultCare is evaluating current physical access controls and actively quoting available options. An policy is being created and AultCare will implement mandatory staff training by . Implementation of and (co-location only) is projected to take place by .”

OIG Reply: As a part of the audit resolution process, we recommend AultCare provide OPM’s Healthcare and Insurance Audit Resolution Group with evidence that AultCare has fully implemented this recommendation. This statement applies to all subsequent recommendations in this audit report that AultCare agrees to implement.

2) Physical Access Recertification

AultCare has implemented procedures to remove physical access privileges for terminated employees. However, AultCare does not have a process in place to periodically audit a list of individuals with physical access privileges against a list of current employees. In addition to ensuring that the access cards for terminated employees have been disabled, the audit should ensure that the level of access granted to each employee is appropriate and only allows them access to the areas necessary to perform their job function.

We independently compared a list of employees with active access to the AultCare facility to a list of employees that were terminated within the last year, and discovered that several employees retained access to the facility after their termination.

NIST SP 800-53, Revision 4, states that an organization must review and analyze system audit records for indications of inappropriate or unusual activity. Failure to audit physical access privileges increases the risk that a terminated employee could enter a facility and steal, modify, or delete sensitive and proprietary information.
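The comparison described in this finding, as an added example that is not AultCare’s or the OIG’s own tooling: it reconciles a badge-system export of active cards against an HR roster (terminated holders, orphan cards) and also checks each card’s areas against what the holder’s role needs, the second half of the recertification the finding asks for. The CSV records, field names and the role-to-area entitlement map are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample export from a badge system: one row per active card.
# "areas" lists the zones the card opens, separated by semicolons.
ACTIVE_CARDS_CSV = """card_id,employee_id,areas
C1001,E100,Office Floor 3
C1002,E101,Office Floor 3;Data Center;Telecom Room
C1003,E102,Office Floor 3;Data Center
C1004,E103,Office Floor 3
C1005,E999,Office Floor 3;Staging Room
"""

# Constructed sample HR roster (the "list of current employees" the finding
# says the card list should be audited against).
HR_ROSTER_CSV = """employee_id,name,role,status,termination_date
E100,A. Adams,Claims Examiner,active,
E101,B. Baker,Network Engineer,active,
E102,C. Clark,Claims Examiner,active,
E103,D. Davis,Claims Examiner,terminated,2015-01-15
E104,E. Evans,Database Administrator,terminated,2013-11-02
"""

# Assumed entitlement model: the areas each role needs to do its job.
ROLE_AREAS = {
    "Claims Examiner": {"Office Floor 3"},
    "Network Engineer": {"Office Floor 3", "Data Center", "Telecom Room", "Staging Room"},
    "Database Administrator": {"Office Floor 3", "Data Center"},
}


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def recertify(active_cards_csv, hr_roster_csv, role_areas, as_of):
    """Reconcile active cards against HR data.

    Returns a dict with three categories, each mapping card_id -> detail:
      terminated_still_active: card holder is terminated in HR
      excess_areas:            card opens areas the holder's role does not need
      no_hr_record:            card holder is unknown to HR (orphan card)
    """
    roster = {r["employee_id"]: r for r in _rows(hr_roster_csv)}
    findings = {"terminated_still_active": {}, "excess_areas": {}, "no_hr_record": {}}
    for card in _rows(active_cards_csv):
        cid, eid = card["card_id"], card["employee_id"]
        areas = {a.strip() for a in card["areas"].split(";") if a.strip()}
        emp = roster.get(eid)
        if emp is None:
            findings["no_hr_record"][cid] = f"{eid} not in HR roster"
            continue
        if emp["status"] == "terminated":
            term = date.fromisoformat(emp["termination_date"])
            days = (as_of - term).days
            findings["terminated_still_active"][cid] = (
                f"{emp['name']} terminated {term.isoformat()}, card active {days} days later"
            )
            continue  # a terminated holder is reported once; the area check is moot
        # Unknown roles get no entitlements, so every area is flagged for review.
        excess = areas - role_areas.get(emp["role"], set())
        if excess:
            findings["excess_areas"][cid] = (
                f"{emp['name']} ({emp['role']}) has {sorted(excess)} beyond role needs"
            )
    return findings


def report(findings):
    """Plain-text summary a manager can sign off on, as the recommendation requires."""
    lines = []
    for category, cards in findings.items():
        lines.append(f"{category}: {len(cards)} card(s)")
        for cid in sorted(cards):
            lines.append(f"  {cid}: {cards[cid]}")
    return "\n".join(lines)


def run_sample():
    """Run the check over the constructed data as of April 2015 (the audit's status date)."""
    return recertify(ACTIVE_CARDS_CSV, HR_ROSTER_CSV, ROLE_AREAS, date(2015, 4, 1))


if __name__ == "__main__":
    print(report(run_sample()))
```

In a real deployment the two CSVs would be the badge system’s and HR system’s exports, and the run would be scheduled at the cadence the recommendation sets.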
Recommendation 3

We recommend that AultCare implement a process for routinely auditing all active access cards to ensure that they are not assigned to terminated employees, and that the areas of access granted to each employee are appropriate to their position. This process should include written confirmation from managers.

AultCare Response: “COMPLETE - AultCare agrees with this recommendation, established the baseline and implemented a policy as of May 2015. AultCare began performing weekly routine audits to monitor this activity in May 2015 and continues to do so.”

OIG Reply: In its response to our draft audit report AultCare provided sufficient evidence to address this recommendation; no further action is required.

C. Network Security

Network security includes the policies and controls used to prevent or monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. AultCare has implemented an incident response and network security program. However, we noted several opportunities for improvement related to AultCare’s network security controls.

1) Audit Logging

AultCare could improve its controls related to system logging and monitoring.

AultCare has documented policies and procedures related to incident response. However, AultCare has not determined what auditable events its information systems can and should log, and has not implemented a process to routinely review system logs.

NIST SP 800-53, Revision 4, states that an organization must determine that the information system is capable of auditing a list of defined events set by the organization. NIST also states that the organization should review and analyze the information system audit records and report the findings.

Failure to log and review information system auditable events increases the risk that AultCare will not be able to identify and respond to security incidents in a timely manner.
Recommendation 4

We recommend that AultCare determine what auditable events its information systems are capable of recording, determine which events are beneficial to log, and implement the technical changes to begin collecting log data. In addition, AultCare should implement a procedure for routinely reviewing the audit logs.

AultCare Response: “IN PROCESS - AultCare agrees and has software in place including , and, as of October 12, 2015, that actively tracks network and system management logs. The logs are reviewed on a routine basis.”

2) Firewall Management

AultCare has implemented firewalls to protect its network environment, and we did not identify any concerns with the firewall architecture. However, AultCare has not established a formal firewall baseline configuration standard, nor a procedure to routinely audit current firewall settings against a baseline.

NIST SP 800-41, Revision 1, states that a firewall policy should dictate how firewalls handle network traffic based on the organization’s information security policies, and a risk analysis should be performed to determine types of traffic needed by the organization. The policy should also include specific guidance on how to address changes to the rule set.

Failure to develop a firewall configuration policy and manage the settings increases AultCare’s exposure to unsecure traffic and vulnerabilities.

Recommendation 5

We recommend that AultCare develop a corporate firewall baseline configuration and implement a process for routinely auditing actual firewall settings against the baseline.

AultCare Response: “IN PROCESS - AultCare agrees with the recommendation and has begun the process of establishing an independent firewall and creating the baseline. The estimated completion date for this project is .”

3)

Recommendation 6

We recommend that AultCare implement .

AultCare Response: “IN PROCESS - AultCare agrees and is in the process of .
Full implementation is expected by .”

4)

Recommendation 7

AultCare Response: “IN PROCESS - AultCare agrees and is beginning to establish . Expected implementation date is .”

5) Vulnerability Scanning/Remediation

AultCare should perform routine vulnerability scanning on its systems.

AultCare utilizes a 3rd party contractor to conduct annual penetration testing on its technical environment. After the testing has been completed, AultCare works to remediate any vulnerabilities identified in a timely manner. However, AultCare does not have its own vulnerability scanning tools nor procedures to conduct more routine scans and remediate any vulnerabilities identified. It is best practice to perform vulnerability scanning on a relatively frequent basis (measured in weeks or months, but not annually) - especially in today’s IT security environment where new vulnerabilities are discovered on a daily basis.

NIST SP 800-53 states that an organization should routinely scan for vulnerabilities in the information systems and hosted applications. It also states that an organization should analyze vulnerability scan reports and results, then remediate the legitimate vulnerabilities.

Failure to identify and remediate known vulnerabilities greatly increases the organization’s exposure to easily exploited weaknesses. This may lead to a loss of personal health information and control of information systems and applications.

Recommendation 8

We recommend that AultCare implement a process to perform routine automated vulnerability scans to ensure all known weaknesses within the information systems are identified in a timely manner. This process should include a methodology to analyze the vulnerability scan reports, identify legitimate vulnerabilities, and remediate them in a timely manner and/or document the acceptance of the risk.
AultCare Response: “IN PROCESS - AultCare agrees with this recommendation and contracted with , a third party, to complete a Vulnerability Scan in May 2015. Results are available upon request. Remediation of the results is in process. AultCare will continue to have third party scans performed annually, at a minimum.”

OIG Reply: Contracting vulnerability assessment work to a vendor is an acceptable approach to implementing this recommendation. However, as stated above, it is best practice to perform vulnerability scanning on a relatively frequent basis (measured in weeks or months, but not annually). Scanning only once per year increases the risk that unknown or un-remediated vulnerabilities exist for an extended period of time. We continue to recommend that AultCare perform weekly or monthly automated vulnerability scans in addition to its annual penetration test work.

6) Vulnerabilities Identified in Scans

OIG test work identified a variety of system vulnerabilities that could have been detected by a mature vulnerability assessment program.

As mentioned above, we believe that AultCare’s vulnerability management program could be improved. As part of this audit, we also independently performed our own automated vulnerability scans on a sample of AultCare’s servers, databases, web applications, and user workstations. Our test work identified a variety of vulnerabilities that AultCare could potentially have detected and remediated earlier if it had a more mature vulnerability management program in place. The specific vulnerabilities that we identified will not be detailed in this report, but are summarized at a high level below. Copies of the full scan reports were provided directly to AultCare during the audit.

System Patching

AultCare appears to be generally compliant with its patch management policies and procedures. However, our scans detected several instances where critical patches were not installed in accordance with the policy.
The missing patches included both operating system and third-party software.

Antivirus Updates

The results of the vulnerability scans indicated that several installations of AultCare’s antivirus software tool had out-of-date antivirus signatures.

Noncurrent Software

The results of the vulnerability scans indicated that several servers and workstations contained noncurrent software applications that were no longer supported by the vendors, and have known security vulnerabilities. AultCare had not documented a business need to maintain this software.

Server Configuration Vulnerabilities

Our scans identified isolated server configuration vulnerabilities with known exploits in AultCare’s technical environment.

Web Application Vulnerabilities

The results of the web application vulnerability scans also indicated that the AultCare web application has several vulnerabilities that are susceptible to common malicious attack methods.

FISCAM states that “Software should be scanned and updated frequently to guard against known vulnerabilities.” NIST SP 800-53, Revision 4, states that the organization must identify, report, and correct information system flaws and install security-relevant software and firmware updates promptly. FISCAM also states that “Procedures should ensure that only current software releases are installed in information systems. Noncurrent software may be vulnerable to malicious code such as viruses and worms.”

The vulnerabilities identified in our test work increase the risk that a malicious attack on AultCare’s technical environment would be successful.

Recommendation 9

We recommend that AultCare make the appropriate changes to its servers, workstations, and web applications to address the specific vulnerabilities identified in our vulnerability scans.

AultCare Response: “IN PROCESS - AultCare agrees and has been addressing the results of the May 2015 external vulnerability scan.
AultCare itself will be purchasing a scanning system, but will also continue to have a third party vendor scan annually. Results of each scan will be addressed accordingly. AultCare scanning system expected implementation date is June 30, 2016.”

Recommendation 10

We recommend that AultCare implement a methodology to ensure that only current and supported versions of system software are installed on the production servers and workstations. If a business need necessitates the use of outdated software, AultCare should document this exception.

AultCare Response: “IN PROCESS - AultCare agrees with this recommendation and is currently in the process of evaluating . Expected implementation date is .”

D. Configuration Management

We evaluated AultCare’s configuration management program as it relates to the operating platforms that support the processing of FEHBP claims, and determined that the following controls were in place:

- Established server build documents; and
- A system software change control process.

The sections below document areas for improvement related to AultCare’s configuration management controls.

1) Security Baseline Configurations

AultCare has not documented security baseline configuration standards for all operating platforms used in its technical environment. A baseline configuration is a formally approved policy or standard outlining how to securely configure an operating platform.

NIST SP 800-53, Revision 4, states that an organization should develop, document, and maintain a current baseline configuration of the information system.

Failure to establish approved system configuration settings increases the risk that the system may not meet performance or security requirements defined by the organization.

Recommendation 11

We recommend that AultCare document approved baseline configurations for all server and database platforms used in its environment.
AultCare Response: “IN PROCESS - AultCare agrees and is in the process of creating Configuration Policies to document approved baselines for both and . The policies will be complete by December 31, 2015.”

2) Configuration Compliance Auditing

As noted above, AultCare does not maintain approved operating platform configuration baselines for its servers and databases. Therefore, AultCare cannot effectively audit the system’s security settings (i.e., there are no approved settings to which to compare the actual settings).

FISCAM states that organizations should require, “current configuration information to be routinely monitored for accuracy. Monitoring should address the baseline and operational configuration of the hardware, software, and firmware that comprise the information system.”

Failure to implement a thorough configuration compliance auditing program increases the risk that insecurely configured servers exist undetected, creating a potential gateway for malicious virus and hacking activity.

Recommendation 12

We recommend that AultCare routinely audit all server and database security configuration settings to ensure they are in compliance with approved baselines.

AultCare Response: “IN PROCESS - AultCare agrees and is in the process of documenting the approved baseline configurations. Upon completion, AultCare will begin routine audits. Implementation is to be expected by July 31, 2016.”

E. Contingency Planning

We reviewed the following elements of AultCare’s contingency planning program to determine whether controls were in place to prevent or minimize interruptions to business operations when disrupting events occur:

- Disaster recovery plan;
- Business continuity plan; and
- Emergency response procedures.
We determined that the contingency planning documentation contained the critical elements suggested by NIST SP 800-34, Revision 1, “Contingency Planning Guide for Federal Information Systems.” AultCare has also identified and prioritized the systems and resources that are critical to business operations, and has developed detailed procedures to recover those systems and resources.

AultCare has developed a thorough disaster recovery plan, but has not completed a feasibility assessment or a functional test of this plan.

The sections below document areas for improvement related to AultCare’s contingency planning controls.

1) Feasibility Assessment

AultCare’s current business continuity plan involves the use of approximately 20 user workstations that are stored at the backup facility. These machines would be loaded with the necessary software and provided to the users to continue AultCare’s business operations. However, AultCare’s employee population is approximately 500 individuals, and AultCare has not conducted a feasibility assessment to ensure that the number of on-hand workstations would meet the needs of the organization in the event of a disaster.

NIST SP 800-53, Revision 4, states an organization should develop a contingency plan that identifies essential missions and business functions and the associated contingency requirements.

Failure to evaluate the feasibility of the business continuity plan increases the risk that an organization cannot maintain business operations when disrupting events occur.

Recommendation 13

We recommend that AultCare conduct a feasibility assessment on the current contingency plan to ensure that it can meet the objectives set by the organization in the event of a disruption.

AultCare Response: “IN PROCESS - AultCare agrees with this recommendation and will conduct a contingency plan feasibility test during first quarter of 2016.
The estimated date of completion is March 1, 2016.”

2) Functional Disaster Recovery Tests

AultCare has documented disaster recovery plans and conducts routine disaster recovery tabletop tests. However, AultCare has not conducted a functional disaster recovery test. This is further compounded by the fact that AultCare has not conducted a feasibility assessment to ensure that it has the proper resources in place to recover from a disrupting situation.

NIST SP 800-53, Revision 4, states that an organization should test the contingency plan for the information system to determine the effectiveness of the plan and the organization’s readiness to execute the plan.

Functional disaster recovery tests allow an organization to evaluate the effectiveness of the contingency plan. Failure to do so increases the risk that an organization cannot recover from a disrupting situation in a timely manner.

Recommendation 14

We recommend that AultCare routinely conduct functional tests of its disaster recovery plan to evaluate its effectiveness.

AultCare Response: “COMPLETE - AultCare agrees and has completed a two-part Functionality test which was concluded in October 2015.”

OIG Reply: In its response to our draft audit report, AultCare provided sufficient evidence to address this recommendation; no further action is required.

F. Claims Adjudication

The following sections detail our review of the applications and business processes supporting AultCare’s claims adjudication process.

1) Application Change Management

AultCare has implemented a thorough application change management program.

We evaluated the policies and procedures governing application development and change control of AultCare’s claims processing applications. AultCare has implemented policies and procedures related to application configuration management, and has also adopted a system development life cycle methodology that IT personnel follow during routine software modifications.
We observed the following controls related to testing and approvals of software modifications:

o AultCare has adopted practices that allow modifications to be tracked throughout the change process;
o Code, unit, system, and quality testing are all conducted in accordance with industry standards; and
o AultCare uses a business unit independent from the software developers to move the code between development and production environments to ensure adequate segregation of duties.

Nothing came to our attention to indicate that AultCare has not implemented adequate controls related to the application configuration management process.

2) Claims Input, Processing, and Output Controls

We evaluated the input, processing, and output controls associated with AultCare’s claims adjudication process. We have determined that the following controls are in place over AultCare’s claims adjudication system:

o Routine reviews are conducted on AultCare’s front-end scanning process for incoming paper claims;
o Claims are monitored as they are processed through the system; and
o Claims output files are fully reconciled.

During the review of the physical environment for claims input, we noted that checks are not secured after they are identified in incoming mail. Failure to protect financial assets increases the probability of loss.

Recommendation 15

We recommend that AultCare add a secure location for incoming checks in the mailroom.

AultCare Response: “COMPLETE - AultCare agrees and created a Policy requiring all incoming FEHB[P] checks to be logged and housed in a locked cabinet until retrieved by the Finance.”

OIG Reply: In its response to our draft audit report, AultCare provided sufficient evidence to address this recommendation; no further action is required.

3) Enrollment

We evaluated AultCare’s procedures for managing its member enrollment data. Enrollment information is received electronically and compared to the member database.
Necessary changes are reported to the eligibility office and updated in the database. Changes are verified during the next database comparison.

Nothing came to our attention to indicate that AultCare has not implemented adequate controls over the enrollment process.

4) Debarment

We evaluated AultCare’s procedures for updating its claims system with debarred provider information. AultCare downloads the OPM OIG debarment list every month and makes the appropriate updates to its claims processing system. Providers are flagged in the system for both future and past claims. Any claim submitted for a debarred provider is flagged by AultCare to adjudicate through the OPM OIG debarment process, which includes initial notification, a 15-day grace period, and then denial of claims.

Nothing came to our attention to indicate that AultCare has not implemented adequate controls over the debarment process.

5) Special Investigation/Fraud

We evaluated AultCare’s policies and procedures surrounding its efforts to detect fraud and abuse in the FEHBP line of business. AultCare has implemented a special investigations unit that has access to all employees and facilities for investigation purposes.

AultCare’s policy is to refer investigative cases to the OPM OIG only after fraud is confirmed. However, AultCare’s contract with OPM requires AultCare to immediately notify our office of all potential fraud cases.

Recommendation 16

We recommend that AultCare update its policy to require the referral of all possible fraud cases to the OPM OIG.

AultCare Response: “COMPLETE - AultCare agrees and updated the current Fraud Policy accordingly.”

OIG Reply: In its response to our draft audit report, AultCare provided sufficient evidence to address this recommendation; no further action is required.
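The debarment control described in section 4 above, modelled as an added example with constructed data (this is not AultCare's or OPM's code): the monthly list is loaded, past claims from a listed provider are flagged for review, and each incoming claim from that provider moves through initial notification, the 15-day grace period, and then denial. Keeping notification state per provider and counting the grace period from the initial notification date are assumptions, as are the provider and claim identifiers.

```python
# Added example, not AultCare's or OPM's code.  Models the debarment control
# described in the report with constructed data.  Assumptions: notification
# state is kept per provider; the 15-day grace period runs from the date of
# the provider's initial notification.
from dataclasses import dataclass, field
from datetime import date, timedelta

GRACE_PERIOD = timedelta(days=15)   # the 15-day grace period named in the report


@dataclass(frozen=True)
class Claim:
    claim_id: str
    provider_id: str
    submitted: date


@dataclass
class DebarmentControl:
    """Claims-system side of the OPM OIG debarment process."""
    debarred: set = field(default_factory=set)    # provider IDs on the current list
    notified: dict = field(default_factory=dict)  # provider_id -> initial notification date

    def load_monthly_list(self, provider_ids):
        """Replace the working list with this month's OPM OIG download."""
        self.debarred = set(provider_ids)

    def adjudicate(self, claim: Claim, today: date) -> str:
        """Disposition for one incoming (future) claim."""
        if claim.provider_id not in self.debarred:
            return "PROCESS"                      # not debarred: normal adjudication
        first = self.notified.get(claim.provider_id)
        if first is None:
            self.notified[claim.provider_id] = today
            return "NOTIFY"                       # initial notification to the provider
        if today - first < GRACE_PERIOD:
            return "GRACE"                        # still inside the 15-day grace period
        return "DENY"                             # grace period exhausted: deny the claim

    def flag_past_claims(self, history):
        """IDs of claims already on file from listed providers, flagged for review."""
        return sorted(c.claim_id for c in history if c.provider_id in self.debarred)


def run_demo():
    """Constructed scenario: provider P-100 appears on the June 2015 list."""
    ctl = DebarmentControl()
    ctl.load_monthly_list(["P-100"])                       # constructed list
    history = [Claim("C-0", "P-100", date(2015, 5, 20)),   # on file before the update
               Claim("C-1", "P-200", date(2015, 5, 22))]
    incoming = [Claim("C-2", "P-100", date(2015, 6, 1)),
                Claim("C-3", "P-100", date(2015, 6, 10)),
                Claim("C-4", "P-100", date(2015, 6, 16)),
                Claim("C-5", "P-200", date(2015, 6, 16))]
    dispositions = {c.claim_id: ctl.adjudicate(c, c.submitted) for c in incoming}
    return ctl.flag_past_claims(history), dispositions
```

Calling run_demo() flags the pre-existing claim C-0 for review and returns NOTIFY, GRACE, DENY and PROCESS for C-2 through C-5 respectively.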
IV. MAJOR CONTRIBUTORS TO THIS REPORT

Information Systems Audit Group

, Lead IT Auditor-In-Charge
, Lead IT Auditor
, IT Auditor
, Group Chief

V. APPENDIX

November 16, 2015

AultCare Health Plan
, Compliance Officer
2600 6th St. SW
Canton, OH 44710

Reference: OPM Draft Audit Report
AultCare Health Plan IT Audit
Plan Code 3A
Audit Report Number 1C-3A-00-15-012

The following report represents AultCare Health Plan’s response to the recommendations included in the Draft Audit Report dated September 16, 2015.

Security Management

Recommendation 1 - We recommend that AultCare implement requirements for routine training for employees with specialized IT security responsibility.

Response - COMPLETE - AultCare agrees and has updated all applicable job descriptions with mandatory annual training hours. See attachments A-1 – A-7.

Access Controls

Recommendation 2 - We recommend that AultCare conduct a review of its physical access controls and implement some form of , , and (co-location only) for the data centers and other sensitive areas at its facility.

Response – IN PROCESS - AultCare is evaluating current physical access controls and actively quoting available options. An policy is being created and AultCare will implement mandatory staff training by . Implementation of and (co-location only) is projected to take place by .

Recommendation 3 - We recommend that AultCare implement a process for routinely auditing all active access cards to ensure that they are not assigned to terminated employees, and that the areas of access granted to each employee are appropriate to their position. This process should include written confirmation from managers.

Response - COMPLETE - AultCare agrees with this recommendation, established the baseline and implemented a policy as of May 2015. AultCare began performing weekly routine audits to monitor this activity in May 2015 and continues to do so. See attachments B-1 – B-2.
Network Security

Recommendation 4 - We recommend that AultCare determine what auditable events its information systems are capable of recording, determine which events are beneficial to log, and implement the technical changes to begin collecting log data. In addition, AultCare should implement a procedure for routinely reviewing the audit logs.

Response – IN PROCESS - AultCare agrees and has software in place including , and, as of October 12, 2015, that actively tracks network and system management logs. The logs are reviewed on a routine basis.

Recommendation 5 - We recommend that AultCare develop a corporate firewall baseline configuration, and implement a process for routinely auditing actual firewall settings against the baseline.

Response – IN PROCESS - AultCare agrees with the recommendation and has begun the process of establishing an independent firewall and creating the baseline. The estimated completion date for this project is .

Recommendation 6 - We recommend that AultCare implement .

Response – IN PROCESS - AultCare agrees and is in the process of r . Full implementation is expected by .

Recommendation 7 - .

Response – IN PROCESS - AultCare agrees and is beginning to establish an i . Expected implementation date is .

Recommendation 8 - We recommend that AultCare implement a process to perform routine automated vulnerability scans to ensure all known weaknesses within the information systems are identified in a timely manner. This process should include a methodology to analyze the vulnerability scan reports, identify legitimate vulnerabilities, and remediate them in a timely manner and/or document the acceptance of the risk.

Response – IN PROCESS - AultCare agrees with this recommendation and contracted with , a third party, to complete a Vulnerability Scan in May 2015. Results are available upon request. Remediation of the results is in process. AultCare will continue to have third party scans performed annually, at a minimum.
Recommendation 9 - We recommend that AultCare make the appropriate changes to its servers, workstations, and web applications to address the specific vulnerabilities identified in our vulnerability scans.

Response – IN PROCESS - AultCare agrees and has been addressing the results of the May 2015 external vulnerability scan. AultCare itself will be purchasing a scanning system, but will also continue to have a third party vendor scan annually. Results of each scan will be addressed accordingly. The AultCare scanning system’s expected implementation date is June 30, 2016.

Recommendation 10 - We recommend that AultCare implement a methodology to ensure that only current and supported versions of system software are installed on the production servers and workstations. If a business need necessitates the use of outdated software, AultCare should document this exception.

Response – IN PROCESS - AultCare agrees with this recommendation and is currently in the process of evaluating . Expected implementation date is .

Configuration Management

Recommendation 11 - We recommend that AultCare document approved baseline configurations for all server and database platforms used in its environment.

Response – IN PROCESS - AultCare agrees and is in the process of creating Configuration Policies to document approved baselines for both and . The policies will be complete by December 31, 2015.

Recommendation 12 - We recommend that AultCare routinely audit all server and database security configuration settings to ensure that they are in compliance with approved baselines.

Response – IN PROCESS - AultCare agrees and is in the process of documenting the approved baseline configurations. Upon completion, AultCare will begin routine audits. Implementation is to be expected by July 31, 2016.
Contingency Planning

Recommendation 13 - We recommend AultCare conduct a feasibility assessment on the current contingency plan to ensure that it can meet the objectives set by the organization in the event of a disruption.

Response – IN PROCESS - AultCare agrees with this recommendation and will conduct a contingency plan feasibility test during first quarter of 2016. The estimated date of completion is March 1, 2016.

Recommendation 14 - We recommend AultCare routinely conduct functional tests of its disaster recovery to evaluate its effectiveness.

Response - COMPLETE - AultCare agrees and has completed a two-part Functionality test which was concluded in October 2015. See attachments C-1 – C-2.

Claims Adjudication

Recommendation 15 - We recommend that AultCare add a secure location for incoming checks in the mailroom.

Response - COMPLETE - AultCare agrees and created a Policy requiring all incoming FEHB checks to be logged and housed in a locked cabinet until retrieved by the Finance. See attachments D-1 – D-2.

Recommendation 16 - We recommend that AultCare update its policy to require the referral of all possible fraud cases to the OPM OIG.

Response - COMPLETE - AultCare agrees and updated the current Fraud Policy accordingly. See attachment E.

Thank you for providing the opportunity to respond to your recommendations and provide an update for the Final Report. If you have any questions, please feel free to contact me at 330-363-1363.

Sincerely,

Compliance Officer
AultCare

Attachments A-E

Report Fraud, Waste, and Mismanagement

Fraud, waste, and mismanagement in Government concerns everyone: Office of the Inspector General staff, agency employees, and the general public. We actively solicit allegations of any inefficient and wasteful practices, fraud, and mismanagement related to OPM programs and operations.
You can report allegations to us in several ways:

By Internet: http://www.opm.gov/our-inspector-general/hotline-to-report-fraud-waste-or-abuse

By Phone: Toll Free Number: (877) 499-7295
Washington Metro Area: (202) 606-2423

By Mail: Office of the Inspector General
U.S. Office of Personnel Management
1900 E Street, NW
Room 6400
Washington, DC 20415-1100
Audit of Information Systems General and Application Controls at AultCare Health Plan
Published by the Office of Personnel Management, Office of Inspector General on 2016-01-21.